@jm96441n
Last active April 22, 2024 15:44
termgw-secrets-removal
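---
# bender: the in-mesh side of the demo. The pod gets a Connect sidecar and,
# per the accompanying ServiceIntentions, is allowed to call "zoidberg",
# which is served from outside the mesh through the terminating gateway.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: bender
  namespace: default
spec:
  protocol: http
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: bender
    # plain key; the quotes around it were unnecessary
    my-meta: my-meta
  name: bender
  namespace: default
spec:
  ports:
    - port: 8080
      name: high
      protocol: TCP
      targetPort: 8080
  selector:
    app: bender
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bender
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: bender
  name: bender
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bender
  template:
    metadata:
      labels:
        app: bender
      annotations:
        # Opt this pod into Consul Connect sidecar injection.
        'consul.hashicorp.com/connect-inject': 'true'
    spec:
      serviceAccountName: bender
      containers:
        - name: bender
          image: nicholasjackson/fake-service:v0.26.0
          ports:
            - containerPort: 8080
          env:
            - name: LISTEN_ADDR
              value: "0.0.0.0:8080"
            - name: NAME
              value: bender
            - name: MESSAGE
              value: "bender bender bender"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # NOTE(review): plaintext ACL token in a committed manifest. With
            # global.acls.manageSystemACLs the chart issues the real tokens
            # itself, so "root" is presumably a dev leftover; if the app really
            # needs a token, read it from a Secret via valueFrom.secretKeyRef.
            - name: CONSUL_HTTP_TOKEN
              value: root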
# kind cluster used by the demo: one control-plane node plus one worker,
# both on the same kindest/node image. Named "termgw" so the setup script
# can detect an existing cluster and skip creation.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: termgw
nodes:
  - role: control-plane
    image: kindest/node:v1.25.3
  - role: worker
    image: kindest/node:v1.25.3
# Helm values for the consul-k8s chart used by this demo.

# Contains values that affect multiple components of the chart.
global:
  # Locally built control-plane image; loaded into kind by the setup script.
  imageK8S: "consul-k8s-control-plane:local"
  image: "hashicorp/consul:1.18"
  logLevel: debug
  tls:
    enabled: true
  acls:
    # The chart bootstraps ACLs and stores the bootstrap token in the
    # consul-consul-bootstrap-acl-token Secret, which the setup script reads.
    manageSystemACLs: true

server:
  enabled: true
  # The number of server agents to run. This determines the fault tolerance of the cluster.
  replicas: 1

# Contains values that configure the Consul UI.
ui:
  enabled: true

# Configures and installs the automatic Consul Connect sidecar injector.
connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: true
    defaultOverwriteProbes: true

dns:
  enabled: true
  enableRedirection: true

# The gateway that fronts the externally registered "zoidberg" service.
terminatingGateways:
  enabled: true
# Allow traffic from bender to zoidberg. Intentions are keyed by destination
# in Consul, so naming this resource after the destination ("zoidberg")
# rather than the source would be the more conventional choice.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: bender
  namespace: default
spec:
  destination:
    name: zoidberg
  sources:
    - name: bender
      action: allow
{
"Datacenter": "dc1",
"Node": "gwtime-worker2-virtual",
"NodeMeta": {
"external-node": "true",
"external-probe": "true"
},
"Address": "10.96.240.216",
"Service": {
"ID": "zoidberg-external",
"Service": "zoidberg",
"Tags": [
"zoidberg",
"v1"
],
"Meta": {
"external": "true"
},
"Port": 8081
},
"Check": {
"Node": "gwtime-worker2-virtual",
"CheckID": "service:zoidberg-external",
"Name": "zoidberg",
"Notes": "Script based health check",
"Status": "passing",
"ServiceID": "zoidberg-external",
"Definition": {
"HTTP": "localhost:8081/health",
"Interval": "5s",
"Timeout": "1s",
"DeregisterCriticalServiceAfter": "30s"
}
}
}
# Mesh-wide proxy defaults: treat services as HTTP unless a ServiceDefaults
# entry says otherwise.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
  name: global
spec:
  config:
    protocol: http
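#!/bin/bash
# Brings up a local kind cluster, installs Consul from a local chart checkout,
# deploys the bender/zoidberg demo manifests and registers zoidberg as an
# external (non-mesh) service that the terminating gateway may serve.
#
# Expects to run from the directory holding cluster.yaml, consul_values.yaml,
# the *.yaml manifests, payload.json and write-policy.hcl. Needs kind,
# kubectl, helm, jq, curl and consul on PATH.
set -euo pipefail

export CONSUL_K8S_CHARTS_LOCATION="$HOME/hashi/consul-k8s/charts/consul"

# Create the kind cluster only if one named exactly "termgw" does not exist.
if ! kind get clusters 2>/dev/null | grep -qx "termgw"; then
  kind create cluster --config cluster.yaml
fi

kind load docker-image consul-k8s-control-plane:local -n termgw

# Idempotent namespace creation: a bare `kubectl create namespace` fails under
# `set -e` on a second run against an existing cluster.
kubectl create namespace consul --dry-run=client -o yaml | kubectl apply -f -

echo "helm installing"
helm upgrade --install consul "$CONSUL_K8S_CHARTS_LOCATION" -f ./consul_values.yaml -n consul --create-namespace --wait
echo "helm is done"
kubectl wait --timeout=180s --for=condition=Available=True deployments/consul-consul-connect-injector -n consul

kubectl apply -f ./proxy-defaults.yaml
kubectl apply -f ./bender-service.yaml
kubectl apply -f ./zoidberg-service.yaml
kubectl apply -f ./intention.yaml
kubectl apply -f ./termgw.yaml

kubectl get svc -n consul

# Expose the Consul HTTPS API locally. The port-forward is deliberately left
# running in the background (as before); the readiness loop below waits for it
# to accept connections instead of racing it with the first API call.
kubectl port-forward service/consul-consul-ui 8501:443 -n consul &

export CONSUL_HTTP_ADDR="127.0.0.1:8501"
# The bootstrap token is created by the chart (global.acls.manageSystemACLs).
CONSUL_HTTP_TOKEN="$(kubectl get --namespace consul secrets/consul-consul-bootstrap-acl-token --template='{{.data.token}}' | base64 -d)"
export CONSUL_HTTP_TOKEN
export CONSUL_HTTP_SSL=true
# The chart's server certificate is issued by its own CA, which is not in the
# local trust store, so verification is disabled here and via -k on curl
# below. Acceptable only against this local kind cluster.
export CONSUL_HTTP_SSL_VERIFY=false

ready=0
for _ in $(seq 1 30); do
  # Any HTTP response means the tunnel is up; a connection refusal is non-zero.
  if curl -ks -o /dev/null "https://${CONSUL_HTTP_ADDR}/v1/status/leader"; then
    ready=1
    break
  fi
  sleep 1
done
if [ "$ready" -ne 1 ]; then
  echo "port-forward to service/consul-consul-ui did not become ready" >&2
  exit 1
fi

# register zoidberg service: point the catalog entry at the ClusterIP of the
# zoidberg-external Service so the gateway has a reachable address.
ip="$(kubectl get service/zoidberg-external -o jsonpath='{.spec.clusterIP}')"
tmp="$(mktemp)"
jq --arg a "$ip" '.Address = $a' ./payload.json >"$tmp" && mv "$tmp" ./payload.json
# --fail makes a rejected registration (e.g. a 4xx) abort the script instead
# of silently continuing to the ACL steps.
curl \
  -k \
  --fail \
  --request PUT \
  --data @payload.json \
  --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
  "https://${CONSUL_HTTP_ADDR}/v1/catalog/register"

# update term gw role: attach a policy granting write on "zoidberg" to the
# chart-created terminating-gateway role.
consul acl policy create -name "zoidberg-write-policy" -rules @write-policy.hcl
termgwRoleID="$(consul acl role list -format=json | jq --raw-output '[.[] | select(.Name | endswith("-terminating-gateway-acl-role"))] | if (. | length) == 1 then (. | first | .ID) else "Unable to determine the role ID because there are multiple roles matching this name.\n" | halt_error end')"
consul acl role update -id "$termgwRoleID" -policy-name zoidberg-write-policy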
# Registers "zoidberg" with the terminating gateway so mesh services can reach
# it. The gateway's ACL role still needs service:write on zoidberg, which the
# setup script grants from write-policy.hcl.
apiVersion: consul.hashicorp.com/v1alpha1
kind: TerminatingGateway
metadata:
  name: terminating-gateway
spec:
  services:
    - name: zoidberg
# Consul ACL rule granting write on service "zoidberg". The accompanying setup
# script turns this file into a policy and attaches it to the chart's
# terminating-gateway role so the gateway may serve the external service.
service "zoidberg" {
  policy = "write"
}
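---
# zoidberg-external: the "outside the mesh" side of the demo. The pod is NOT
# sidecar-injected; the setup script registers it in the Consul catalog as an
# external node service (payload.json) that the terminating gateway serves.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: zoidberg-external
  namespace: default
spec:
  protocol: http
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: zoidberg-external
    # quoted on purpose: label values are strings, not booleans
    external: "true"
  name: zoidberg-external
  namespace: default
spec:
  ports:
    - port: 8081
      name: high
      protocol: TCP
      targetPort: 8081
  selector:
    app: zoidberg-external
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zoidberg-external
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: zoidberg-external
  name: zoidberg-external
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zoidberg-external
  template:
    metadata:
      labels:
        app: zoidberg-external
      annotations:
        # Explicitly opt out of sidecar injection; this workload is external.
        'consul.hashicorp.com/connect-inject': 'false'
    spec:
      serviceAccountName: zoidberg-external
      containers:
        - name: zoidberg-external
          image: nicholasjackson/fake-service:v0.26.0
          ports:
            - containerPort: 8081
          env:
            - name: LISTEN_ADDR
              value: "0.0.0.0:8081"
            - name: NAME
              value: zoidberg-external
            - name: MESSAGE
              value: "why not zoidberg-external"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # NOTE(review): plaintext ACL token in a committed manifest, and
            # this workload is outside the mesh so it is unclear it needs one
            # at all. If it does, read it from a Secret via
            # valueFrom.secretKeyRef rather than hard-coding it.
            - name: CONSUL_HTTP_TOKEN
              value: root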